- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- timechart overlay multiple strings
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
timechart overlay multiple strings
I want to search 2 strings in log file, like "A string" & "B String", A string should be treated as successful and B as Failure. Next I want to overlay both as line timechart, where successful events should go above x-axis and Failure events go below x-axis or they are showed as different colors.How this can be done?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I do a timechart with 2 strings and also give a Alias names to the string . How can span the reults for 1 day within same query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should post this as a new question, or a comment, instead of an answer to the top question.
But to answer your answer: You can create an alias (called a search macro in Splunk) for a search string in the GUI under Settings - Advanced Search - Search Macros. To use the macro once it's been created, you have to surround your macro with backticks, like this: myawesomemacro()
As for span, you can use span=1d. Check the timechart search command help and you will find thespan option along with some example usage.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I knew that I had to post as new question and I even tried but continously gave me form error. That the reason I posted my question as an answer.
Anyways Thank you so much for the reply. it worked.
Sorry for inconvenience caused.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Iguinn,
It almost worked but how do I give alias to search string? My timechart shows Success and failure which I don't wanna show instead I want to give alias to them and also span for a day,Hi Thank you for your answer it almost worked but how do I give alias for search string and search for span of a 1day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are many ways, but this might be easiest.
source=logfilename "A string"
| eval series = "Success"
| append [ search source=logfilename "B string"
| eval series = "Failure" ]
| timechart count by series
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
